Can Kicksecure keep up with Fedora?

This is a highly debated topic on the Qubes OS Forum, with threads questioning why a security-oriented OS like Qubes uses Fedora for its central domain (dom0), given concerns like corporate influence, origins of key security features, and release stability. Specifically, Fedora is primarily sponsored by Red Hat (owned by IBM), its core security feature SELinux was originally developed by the NSA, and it follows a rapid 6-month release cycle, which can lead to instability or rushed updates in a security-focused context.

Additionally, Qubes’ own release cycle is roughly every 2 years, meaning the Fedora version underpinning dom0 often becomes EOL well before Qubes updates it, leaving a year or more of potential unpatched exposure. That’s a troubling gap for something as critical as Qubes.

I share reservations about Debian’s 2-year major release cycle, as it can lag on bleeding-edge security updates. But 6 months is far too short for a stable, thoroughly tested base in security-focused systems like Whonix. Neither is perfect, but Debian’s emphasis on stability makes it a stronger fit overall for minimizing risks in a privacy/anonymity tool.
